In March, the Criminal Division of the U.S. Department of Justice (DOJ) announced several policy updates consistent with the initiatives announced in the September 2022 memorandum by Deputy Attorney General Lisa O. Monaco (the Monaco Memo).[1] Specifically, DOJ released:
- A three-year “Compensation Incentives and Clawbacks Pilot Program” that will go into effect on March 15, 2023;[2]
- Updated guidance on the Evaluation of Corporate Compliance Programs;[3] and
- A “Revised Memorandum on Selection of Monitors in Criminal Division Matters” (the Monitor Memo).[4]
The clawbacks pilot program and elements of the updated Evaluation of Corporate Compliance Programs provide more details regarding DOJ expectations related to the role of incentives and clawbacks in compliance programs and as part of remediation during DOJ investigations of potential wrongdoing by companies. The pilot program also offers companies potential benefits in DOJ penalty calculations if companies pursue clawbacks of compensation from employees deemed responsible for conduct under investigation.
The Evaluation of Corporate Compliance Programs also provides additional details regarding DOJ expectations of companies’ management of corporate data on employees’ personal devices and when using third-party applications—especially those with end-to-end encryption or features that automatically delete communications. DOJ continues to emphasize that enforcement authorities consider companies’ abilities to produce such data during investigations to be a key component in DOJ assessments of whether such companies have fully cooperated.
The Monitor Memo updates DOJ’s policies on monitor selection and management to conform with policies announced by the Monaco Memo, such as including self-disclosure as a factor in determining whether a monitor is necessary and confirming that “prosecutors should not apply presumptions for or against monitors.”
Policies and guidance on compensation incentives and clawbacks
The clawbacks pilot program and the Evaluation of Corporate Compliance Programs seek to incentivize companies to link compliance with employee compensation.
Clawbacks pilot program: Potential penalty credits for clawbacks
The clawbacks pilot program’s main development is an offer by the DOJ to “provide fine reductions to companies who seek to claw back compensation from corporate wrongdoers.”[5] As described by Monaco, at the time a disposition occurs, “the resolving company will pay the applicable fine, minus a reserved credit equaling the amount of compensation the company is attempting to claw back from culpable executives and employees.” The company will then be allowed to keep any money clawed back during the time period of the resolution (for example, in a three-year deferred prosecution agreement), thus reducing the total fine by that amount. The pilot program also gives prosecutors discretion to “accord a reduction of up to 25% of the amount of compensation the company attempted [unsuccessfully] to clawback” by the end of the resolution period.[6] Any reserved funds not clawed back or given credit would then be paid to the government.
The program sets out several considerations and requirements for companies that seek to avail themselves of this potential benefit. To qualify, companies’ clawback efforts must target personnel “who engaged in wrongdoing in connection with the conduct under investigation, or . . . who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct.”[7] The company must have initiated such efforts “before the time of resolution,” that is, during the investigation. And such efforts must be in “good faith”—a term that gives prosecutors significant discretion since it is not further defined in the guidance.
Significantly, the potential credit for clawbacks does not include the often-substantial litigation and other costs of pursuing clawback actions against individual executives. Any resulting reduction in fines is limited to the actual compensation retrieved. The program also does not speak to other challenges, such as relevant employment laws or the fact that often such compensation has been taxed, invested, or spent.
Recognizing that companies must continue to contend with relevant market forces, DOJ now expects compensation systems to specifically tie bonuses and other incentives to established compliance metrics and explicitly allow for clawbacks when potential noncompliance is detected—including when internal or government investigations occur.
Compliance evaluation guidance: Questions for prosecutors on incentives and discipline
The Evaluation of Corporate Compliance Programs includes a retitled section on “Compensation Structures and Consequence Management” (previously “Incentives and Disciplinary Measures”) with revisions that focus on how companies incentivize compliance and hold violators accountable. The entire section is worth a review by compliance professionals. Key aspects and related considerations are:
Explicit financial and other incentives rewarding compliance leadership. The guidance states that prosecutors should “consider whether a company has incentivized compliance by designing compensation systems . . . tied to conduct consistent with company values and policies.” Among the relevant (and helpful) questions asked by the guidance are:
- “What percentage of executive compensation is structured to encourage enduring ethical business objectives?”
- “Has the company evaluated whether commercial targets are achievable if the business operates within a compliant and ethical manner?”
- “What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?”
In addition to financial incentives, the guidance also directs prosecutors to examine other “positive incentives, such as promotions [and] rewards . . . for improving and developing a compliance program or demonstrating ethical leadership” and “whether a company has . . . offered opportunities for managers and employees to serve as a compliance ‘champion.’” Such nonfinancial incentives can be as important to building a compliance culture as financial benefits, and the guidance’s recognition of this fact gives companies a broader canvas to demonstrate a commitment to compliance in ways that can be less complex or fraught than compensation-based metrics.
Use of clawbacks and other consequence management mechanisms. The guidance instructs prosecutors to ask, “Does the company have policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee?” Additional questions for prosecutors focus on whether the company has a policy in place for recouping compensation and actual examples of actions taken.
Communications of compliance expectations and consequences to employees. The guidance instructs prosecutors to look at “the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.” One of several questions related to such communications is: “What policies and practices does the company have in place to put employees on notice that they will not benefit from any potential fruits of misconduct?” There is also an increased focus on whether and how a company has internally messaged on disciplinary actions taken.
While publication of disciplinary actions for compliance-related violations can create “deterrent effects” and provide assurances that employees at different levels are being treated similarly, the guidance’s various questions may underplay or unduly question legitimate reasons for companies to restrict such information. Most important, various applicable laws—especially in jurisdictions with strong data privacy protections—restrict the public dissemination of even basic information for discipline.
Use of metrics to monitor consistency of discipline. As has been the case with earlier versions of the guidance, there is a section on whether “disciplinary actions and incentives [have] been fairly and consistently applied across the organization.” New language has been added on the metrics used by the company “to ensure consistency of disciplinary measures across all geographies, operating units, and levels of the organization,” which continues DOJ’s emphasis on the use of data to track effectiveness and test programs.
Ensuring effectiveness. More generally, the guidance introduces a new section that asks questions regarding how the company has “ensured effective consequence management of compliance violations in practice.” Areas of inquiry include evaluations of substantiation of hotline reports across company units or countries of operation, “root cause analysis into areas where certain conduct is comparatively over or under reported,” timing and consistency of investigation processes, and “How much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities?”
The other main noteworthy change to the Evaluation of Corporate Compliance Programs is an addition to the “Independence and Empowerment” section concerning company compliance and investigation personnel. New questions ask whether “compensation for [such] employees [is] structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company,” as well as whether compensation and promotion decisions for such personnel have a sufficient degree of independence.
Clawbacks pilot program: New “Attachment C” requirements
The clawbacks pilot program instructs that “when entering into criminal resolutions [such as plea agreements, deferred prosecution agreements, or non-prosecution agreements], companies will be required to implement compliance-related criteria in their compensation and bonus system and to report to the [DOJ] about such implementation during the term of such resolutions.”[8] The pilot program states that such criteria could include:
- “A prohibition on bonuses for employees who do not satisfy compliance performance requirements;
- “Disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct; and
- “Incentives for employees who demonstrate full commitment to compliance processes.”
The categories of compensation criteria noted above are (likely deliberately) vague. While additional details on this aspect of the pilot program will likely be forthcoming in future corporate cases, the recent disposition involving Danske Bank’s anti-money laundering controls deficiencies may provide an early model.[9] Attachment C to Danske Bank’s plea agreement contains language requiring the bank to “implement evaluation criteria related to compliance in its executive review and bonus system so that each . . . executive is evaluated on what the executive has done to ensure that the executive’s business or department is in compliance with” the bank’s compliance program and applicable laws.
Guidance on management of information on messaging applications and personal devices
The Evaluation of Corporate Compliance Programs also addresses new DOJ expectations regarding company policies on employees’ use of messaging applications (such as WhatsApp, Telegram, or other services) for company business and the management and retention of company information on employees’ personal devices.
Overall, the guidance states that company policies on these issues “should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.” The guidance then sets out various questions that prosecutors should ask in three categories:
- “Communications channels”: What types of “electronic communication channels” are used by company employees, and do employees use different channels in different countries? An example is the use by Chinese personnel of the Chinese messaging service WeChat, which is not extensively used in other jurisdictions. For each channel, “what preservation or deletion settings are available to each employee,” and what company policies apply?
- “Policy environment” and rationales: What company policies exist to ensure preservation of data and communications in various situations, such as ephemeral message deletion settings, replacement of company devices, and use of personal devices under, for example, bring-your-own-device policies? What “relevant code of conduct, privacy, security, and employment laws or policies . . . govern the organization’s ability to ensure security or monitor/access business-related communications” and allow for (or limit) the company’s ability to review company data on personal devices or third-party applications? And are relevant data retention policies being followed in practice?
- “Risk management”: What consequences have employees faced for not following existing policies in this area, and has employees’ “use of personal devices or messaging applications . . . impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?”
In light of the new guidance in this area, companies should consider the following steps:
- Assess all electronic communications channels that employees are using outside of company record-keeping systems;
- Determine which (if any) of these channels can be appropriately used for company business and make clear and train employees on any restrictions;
- Update or introduce policies that create an appropriate retention period for all company data that may be contained in those channels, as well as consider and adopt methods by which “employees should [regularly] transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems” consistent with applicable laws and regulations;
- Establish clear and appropriate consequences for employees who do not follow these policies and conduct training on the policies and consequences;
- Develop plans for monitoring/auditing employees’ compliance with relevant policies; and
- Take appropriate action regarding employee noncompliance and keep records of such actions.
Monitor selection
The Criminal Division’s March 1, 2023, Monitor Memo reiterates policy changes indicated by the earlier Monaco Memo related to increasing transparency on the selection of corporate monitors, among other issues. The new memo specifically communicates that (1) the Criminal Division will not apply a presumption in favor of or against the imposition of a monitor; (2) many requirements for monitors will likewise apply to monitor teams; (3) “monitor selections are and will be made in keeping with the Department’s commitment to diversity, equity, and inclusion”; and (4) monitors will now be required to wait three years (rather than two) from monitorship termination before engaging in any sort of professional relationship with the company that they monitored.
The Monitor Memo also provided additional information on the monitor selection process; it provided 10 “non exhaustive factors” for prosecutors to consider in assessing the need for a monitor in a corporate resolution.
Takeaways
- The U.S. Department of Justice (DOJ) will credit corporate efforts to claw back compensation from executives found to have acted improperly in an investigation. Credit is not guaranteed, and the sometimes-significant fees and costs associated with clawing back are not included.
- DOJ is looking for companies to take concrete steps to tie their compensation programs to compliant behavior.
- DOJ expects companies to implement policies on the use of messaging apps that are “tailored to the corporation’s risk profile and specific business needs” but maximize data preservation and accessibility “to the greatest extent possible.”
- As part of ensuring a compliant data retention program, DOJ expects companies to have trained employees on the applicable policies and to impose consequences for noncompliance.
- Consider the 10 nonexhaustive factors laid out in the Monitor Memorandum for determining the appropriateness of a monitor in the context of a corporate resolution as part of your internal process for evaluating your compliance program.